Merge branch 'master' of https://github.com/docker-flow/docker-flow-proxy

Author: Viktor Farcic

Dockerfile

@@ -1,16 +1,23 @@
-FROM golang:1.9.6 AS build
+FROM golang:1.11.0-alpine AS build
 ADD . /src
 WORKDIR /src
-RUN go get -d -v -t
-RUN go test --cover ./... --run UnitTest
-RUN go build -v -o docker-flow-proxy
+RUN set -x \
+    && apk add --update --no-cache --no-progress git g++ \
+    && go get -d -v -t \
+    && go test --cover ./... --run UnitTest \
+    && go build -v -o docker-flow-proxy
 
 
-FROM haproxy:1.8.8-alpine
-MAINTAINER 	Viktor Farcic <viktor@farcic.com>
+FROM haproxy:1.8.13-alpine
+LABEL org.opencontainers.image.title="Docker Flow Proxy" \
+    org.opencontainers.image.description="Automated HAProxy Reverse Proxy for Docker" \
+    org.opencontainers.image.url="https://proxy.dockerflow.com" \
+    org.opencontainers.image.licenses="MIT" \
+    org.opencontainers.image.authors="Viktor Farcic <viktor@farcic.com>" \
+    org.opencontainers.image.source="https://github.com/docker-flow/docker-flow-proxy"
 
-RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2
-RUN mkdir -p /cfg/tmpl /templates /certs /logs
+RUN apk --update --no-cache --no-progress add tini \
+    && mkdir -p /cfg/tmpl /templates /certs /logs
 
 ENV CERTS="" \
     CAPTURE_REQUEST_HEADER="" \
@@ -39,21 +46,20 @@ ENV CERTS="" \
     TIMEOUT_HTTP_REQUEST="5" TIMEOUT_HTTP_KEEP_ALIVE="15" TIMEOUT_CLIENT="20" TIMEOUT_CONNECT="5" TIMEOUT_QUEUE="30" TIMEOUT_SERVER="20" TIMEOUT_TUNNEL="3600" \
     USERS="" \
     SKIP_ADDRESS_VALIDATION="true" \
-    SSL_BIND_OPTIONS="no-sslv3" SSL_BIND_CIPHERS="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
+    SSL_BIND_OPTIONS="ssl-min-ver TLSv1.2 no-tls-tickets" \
+    SSL_BIND_CIPHERS="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM"
 
-EXPOSE 80
-EXPOSE 443
-EXPOSE 8080
+EXPOSE 80 \
+    443 \
+    8080
 
-RUN apk --no-cache add tini
 ENTRYPOINT ["/sbin/tini", "-g", "--"]
 CMD ["docker-flow-proxy", "server"]
 HEALTHCHECK --interval=5s --start-period=3s --timeout=10s CMD check.sh
 
 COPY scripts/check.sh /usr/local/bin/check.sh
-RUN chmod +x /usr/local/bin/check.sh
 COPY errorfiles /errorfiles
 COPY haproxy.cfg /cfg/haproxy.cfg
 COPY haproxy.tmpl /cfg/tmpl/haproxy.tmpl
 COPY --from=build /src/docker-flow-proxy /usr/local/bin/docker-flow-proxy
-RUN chmod +x /usr/local/bin/docker-flow-proxy
+RUN chmod +x /usr/local/bin/docker-flow-proxy /usr/local/bin/check.sh

actions/reconfigure_test.go

@@ -741,7 +741,8 @@ func (s ReconfigureTestSuite) Test_Execute_WritesServerSession() {
 	s.reconfigure.AclName = "my-service"
 	s.reconfigure.ServiceDest[0].Port = "1111"
 	s.reconfigure.ServiceDest[0].HttpsPort = 2222
-	s.reconfigure.Tasks = []string{"1.2.3.4", "4.3.2.1"}
+	// The expectedData will place these ips in order
+	s.reconfigure.Tasks = []string{"4.3.2.1", "1.2.3.4"}
 	s.reconfigure.SessionType = "sticky-server"
 	var actualData string
 	expectedData := `

docs/config.md

@@ -45,8 +45,8 @@ The following environment variables can be used to configure the *Docker Flow Pr
 |SERVICE_DOMAIN_ALGO|The default algorithm applied to domain ACLs. It can be overwritten for a service through the `serviceDomainAlgo` parameter.<br>**Examples:**<br>`hdr(host)`: matches only if domain is the same as `serviceDomain`<br>`hdr_dom(host)`: matches the specified `serviceDomain` and any subdomain (a string either isolated or delimited by dots).<br>`req.ssl_sni`: matches Server Name TLS extension<br>**Default Value:** `hdr_beg(host)`|
 |SERVICE_NAME       |The name of the service. It must be the same as the value of the `--name` argument used to create the proxy service. Used only in the *swarm* mode.<br>**Example:** `my-proxy`<br>**Default value:** `proxy`|
 |SKIP_ADDRESS_VALIDATION|Whether to skip validating service address before reconfiguring the proxy.<br>**Example:** false<br>**Default value:** `true`|
-|SSL_BIND_CIPHERS   |Sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake for all "bind" lines which do not explicitly define theirs. The format of the string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such as `AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH`.<br>**Default value:** see [Dockerfile](https://github.com/docker-flow/docker-flow-proxy/blob/master/Dockerfile#L31)|
-|SSL_BIND_OPTIONS   |Sets default ssl-options to force on all "bind" lines.<br>**Default value:** `no-sslv3`|
+|SSL_BIND_CIPHERS   |Sets the default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake for all "bind" lines which do not explicitly define theirs. The format of the string is defined in "man 1 ciphers" from OpenSSL man pages, and can be for instance a string such as `EECDH+AESGCM:EDH+AESGCM`.<br>**Default value:** see [Dockerfile](https://github.com/docker-flow/docker-flow-proxy/blob/master/Dockerfile#L42)|
+|SSL_BIND_OPTIONS   |Sets default ssl-options to force on all "bind" lines.<br>**Default value:** `ssl-min-ver TLSv1.2 no-tls-tickets`|
 |STATS_USER         |Username for the statistics page. If not set, stats will not be available. If both `STATS_USER` and `STATS_PASS` are set to `none`, statistics will be available without authentication.<br>**Example:** my-user<br>**Default value:** `admin`|
 |STATS_USER_ENV     |The name of the environment variable that holds the username for the statistics page.<br>**Example:** MY_USER<br>**Default value:** `STATS_USER`|
 |STATS_PASS         |Password for the statistics page. If not set, stats will not be available. If both `STATS_USER` and `STATS_PASS` are set to `none`, statistics will be available without authentication.<br>**Example:** my-pass<br>**Default value:** `admin`|

logging/logging_test.go

@@ -41,7 +41,7 @@ func (s LoggingTestSuite) Test_StartLogging_OutputsSyslogToStdOut() {
 		expected := fmt.Sprintf("This is a syslog message %d", i)
 		go sysLog.Info(expected)
 		logged := false
-		for c := 0; c < 200; c++ {
+		for c := 0; c < 1000; c++ {
 			if strings.Contains(actual, expected) {
 				logged = true
 				break

proxy/ha_proxy.go

@@ -302,6 +302,25 @@ backend dummy-be
 }
 
 func (m HaProxy) getConfigData() configData {
+
+	services := Services{}
+	hasHTTP := false
+	for _, s := range dataInstance.Services {
+		if len(s.AclName) == 0 {
+			s.AclName = s.ServiceName
+		}
+		services = append(services, s)
+		for i := range s.ServiceDest {
+			if len(s.ServiceDest[i].ReqMode) == 0 {
+				s.ServiceDest[i].ReqMode = "http"
+			}
+			if s.ServiceDest[i].ReqMode == "http" {
+				hasHTTP = true
+			}
+		}
+	}
+	includeDefaultPorts := (len(services) == 0) || hasHTTP
+
 	d := configData{
 		CertsString: m.getCertsConfigSnippet(),
 	}
@@ -328,11 +347,13 @@ func (m HaProxy) getConfigData() configData {
 	m.addCompression(&d)
 	m.addDebug(&d)
 
-	defaultPortsString := getSecretOrEnvVar("DEFAULT_PORTS", "")
-	defaultPorts := strings.Split(defaultPortsString, ",")
-	for _, bindPort := range defaultPorts {
-		formattedPort := strings.Replace(bindPort, ":ssl", d.CertsString, -1)
-		d.DefaultBinds += fmt.Sprintf("\n    bind *:%s", formattedPort)
+	if includeDefaultPorts {
+		defaultPortsString := getSecretOrEnvVar("DEFAULT_PORTS", "")
+		defaultPorts := strings.Split(defaultPortsString, ",")
+		for _, bindPort := range defaultPorts {
+			formattedPort := strings.Replace(bindPort, ":ssl", d.CertsString, -1)
+			d.DefaultBinds += fmt.Sprintf("\n    bind *:%s", formattedPort)
+		}
 	}
 	extraGlobal := getSecretOrEnvVarSplit("EXTRA_GLOBAL", "")
 	if len(extraGlobal) > 0 {
@@ -356,18 +377,6 @@ func (m HaProxy) getConfigData() configData {
 				values[1])
 		}
 	}
-	services := Services{}
-	for _, s := range dataInstance.Services {
-		if len(s.AclName) == 0 {
-			s.AclName = s.ServiceName
-		}
-		services = append(services, s)
-		for i := range s.ServiceDest {
-			if len(s.ServiceDest[i].ReqMode) == 0 {
-				s.ServiceDest[i].ReqMode = "http"
-			}
-		}
-	}
 	m.getSni(&services, &d)
 	return d
 }